From 4e4c18bf6fa1a2be58c215f81d5046035ed150cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?=
 <23639005+israel-hdez@users.noreply.github.com>
Date: Thu, 16 Jan 2025 15:49:48 -0600
Subject: [PATCH] Enable forwarding Authorization header in InferenceGraphs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This will configure all `InferenceGraph` workloads to forward the standard HTTP `Authorization` header to the backing `InferenceServices`.

The `Authorization` header is used to receive/send credentials and let ODH stack to validate access.

By enabling forwarding of the `Authorization` header, we cover the case when there is an (some) auth-protected InferenceService(s) as part of an InferenceGraph. Access is fine-grained, so access to an InferenceGraph does not guarantee access to some InferenceService. The user needs to provide credentials to all resources (IGs and ISVC) that the request needs to go through. Since each workload validates credentials on its own, credentials need to be forwarded to all workloads of an InferenceGraph.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 config/overlays/odh/inferenceservice-config-patch.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/overlays/odh/inferenceservice-config-patch.yaml b/config/overlays/odh/inferenceservice-config-patch.yaml
index 9fada7f1c54..41bbcf170e3 100644
--- a/config/overlays/odh/inferenceservice-config-patch.yaml
+++ b/config/overlays/odh/inferenceservice-config-patch.yaml
@@ -60,7 +60,12 @@ data:
         "memoryRequest": "100Mi",
         "memoryLimit": "1Gi",
         "cpuRequest": "100m",
-        "cpuLimit": "1"
+        "cpuLimit": "1",
+        "headers": {
+          "propagate": [
+            "Authorization"
+          ]
+        }
     }
   deploy: |-
     {